Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


StreamHandle Contexts

0mWindyBug0mWindyBug Member Posts: 29
edited January 9 in NTFSD

hey!
I'm having a look at a filter driver that monitors files for modifications and backs them up somewhere, it will not always back content up but only in case it identifies what is considered by it "suspicious" (say multiple file modifications in a short space of time to documents)
what I find weird is it gets a stream handle context during the pre operation for write , but the context is allocated at cleanup...? what I expected is that it will be allocated somewhere at file create which it doesnt even filter at all ... can anyone elighten me into why would one use such design to backup file content for potential need to restore it? how could that work ?
here's the preoperation for file writes
`__int64 __fastcall preop_file_write(__int64 Data, __int64 FltObjects, _QWORD *Context)
{
__int64 v4[3]; // [rsp+20h] [rbp-18h] BYREF

v4[0] = 0i64;
FltGetStreamHandleContext(*(_QWORD *)(FltObjects + 0x18), *(_QWORD *)(FltObjects + 32), v4);
if ( !v4[0] )
return 1i64;
*Context = v4[0];
return 0i64;
}`

and the pre operation for file cleanup
`__int64 __fastcall preop_cleanup(__int64 Data, __int64 FltObjects, _QWORD *Context)
{
__int64 context_type_stream_handle; // rdx
int v5; // eax
__int64 v6; // rax
__int64 info_token_and_sid; // rax
char v8; // [rsp+30h] [rbp-38h]
int status; // [rsp+34h] [rbp-34h]
unsigned int RequestorProcessId; // [rsp+3Ch] [rbp-2Ch]
__int64 returned_context; // [rsp+40h] [rbp-28h] BYREF
__int64 file_name_information; // [rsp+48h] [rbp-20h] BYREF
__int64 v13[3]; // [rsp+50h] [rbp-18h] BYREF

returned_context = 0i64;
if ( !sub_180037C30(Data) )
return 1i64;
if ( (int)FltGetFileNameInformation(Data, 1026i64, &file_name_information) < 0 )
return 1i64;
status = FltParseFileNameInformation(file_name_information);
if ( status >= 0 )
{
LOWORD(context_type_stream_handle) = 0x10;
status = FltAllocateContext(filter, context_type_stream_handle, 280i64, 0i64, &returned_context);
if ( status >= 0 && returned_context )
{
memset(returned_context, 0i64, 280i64);
RequestorProcessId = FltGetRequestorProcessId(Data);
v13[0] = 0i64;
lookup_avl_table_two(RequestorProcessId, v13);
some_string_ops_one_filename(returned_context, file_name_information + 8);
some_string_ops_one_filename(returned_context + 8, file_name_information + 56);
v5 = insert_generic_avl_table(*(_QWORD *)returned_context);
*(_DWORD *)(returned_context + 16) = v5;
*(_BYTE *)(returned_context + 20) = 0;
*(_BYTE *)(returned_context + 21) = *(_WORD *)(file_name_information + 72) != 0;
*(_QWORD *)(returned_context + 24) = 0i64;
sub_180043890(returned_context + 32);
*(_DWORD *)(returned_context + 40) = RequestorProcessId;
v6 = get_avl_table_element_and_do_something(v13[0]);
*(_QWORD *)(returned_context + 48) = v6;
*(_QWORD *)(returned_context + 56) = *(_QWORD *)(Data + 8);
info_token_and_sid = query_info_token(Data);
*(_QWORD *)(returned_context + 64) = info_token_and_sid;
*(_BYTE *)(returned_context + 104) = *(_BYTE *)(Data + 80);
*(_DWORD *)(returned_context + 108) = *(unsigned __int16 *)(*(_QWORD *)(Data + 16) + 42i64);
*(_DWORD *)(returned_context + 112) = *(_DWORD *)(*(_QWORD *)(Data + 16) + 32i64) & 0xFFFFFF;
*(_DWORD *)(returned_context + 116) = (unsigned __int8)HIBYTE(*(_DWORD *)(*(_QWORD *)(Data + 16) + 32i64));
*(_DWORD *)(returned_context + 120) = *(_DWORD *)(*(_QWORD *)(*(_QWORD *)(Data + 16) + 24i64) + 16i64);
*(_QWORD *)(returned_context + 128) = 0i64;
*(_DWORD *)(returned_context + 140) = 0;
}
FltReleaseFileNameInformation(file_name_information);
if ( (unsigned __int8)verify_version_info() && status >= 0 && returned_context )
{
sub_180035E50(Data, returned_context + 80, returned_context + 72, returned_context + 96);
status = 0;
}
}
else
{
FltReleaseFileNameInformation(file_name_information);
}
if ( status >= 0 && returned_context )
{
if ( (unsigned __int8)sub_1800350E0(Data, FltObjects, returned_context) )
{
v8 = 0;
if ( *(_DWORD *)(*(_QWORD *)(*(_QWORD *)(Data + 16) + 24i64) + 16i64) != *(_DWORD *)(returned_context + 120) )
{
*(_DWORD *)(*(_QWORD *)(*(_QWORD *)(Data + 16) + 24i64) + 16i64) = *(_DWORD *)(returned_context + 120);
v8 = 1;
}
if ( *(unsigned __int16 *)(*(_QWORD *)(Data + 16) + 42i64) != *(_DWORD *)(returned_context + 108) )
{
*(_WORD *)(*(_QWORD *)(Data + 16) + 42i64) = *(_WORD *)(returned_context + 108);
v8 = 1;
}
if ( v8 )
FltSetCallbackDataDirty(Data);
*Context = returned_context;
return 0i64;
}
else
{
FltReleaseContext(returned_context);
*(_DWORD *)(Data + 24) = -1073741790;
*(_QWORD *)(Data + 32) = 0i64;
return 4i64;
}
}
else
{
if ( returned_context )
FltReleaseContext(returned_context);
return 1i64;
}
}`

and lastly the post operation for cleanup where the context is set
`__int64 __fastcall postop_cleanup(__int64 Data, __int64 FltObjects, __int64 Context)
{
__int64 v5[3]; // [rsp+40h] [rbp-18h] BYREF

if ( !Context )
return 0i64;
(_QWORD *)(Context + 128) = *(_QWORD *)(Data + 32);
if ( *(int *)(Data + 24) >= 0 )
sub_1800378C0(Data, FltObjects, Context);
sub_1800351B0(FltObjects, Data, Context);
if ( *(int *)(Data + 24) >= 0 )
{
v5[0] = 0i64;
*(_QWORD *)(Context + 88) = *(_QWORD *)(FltObjects + 32);
** FltSetStreamHandleContext(
(_QWORD *)(FltObjects + 24), *(_QWORD *)(FltObjects + 32), 0i64, Context, v5);**
if ( v5[0] )
FltReleaseContext(v5[0]);
FltReleaseContext(Context);
return 0i64;
}
else
{
FltReleaseContext(Context);
return 0i64;
}
}`

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online